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(57) Abstract: The invention provides a method and system for scanning specialized compntii^ devices for vinises. In a piefened 
cmbocfiment, a filer is connected to one or mote supplementaiy compodng devices that scan requested files to ensure they are vims 
Bnee pnor to dehvcry to end nseis. When an end user teqnests a file the following steps occur Fust, the filo- determines whether the 
file requested must be scanned before deMvc^r to the end user. Second, the filer a channel to one of the external computine 
devices ai^ sends die filename. Third, the external compuUng device opens the file and scans it Fourth, the external computinfi 
device notifies the filer the results of the file scan operation. Fifth, the filer sc^ 
It may do so. 
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DECENTRALIZED APPLIANCE VIRUS SCANNING 



Background of the Invention 

1. Field of the Invention 

This invention relates to virus scamiing m aiietwoiW environm^^ 

2. RelatedArt 

Computer networidng and the Int^et in particular offer end users 
unprecedented access to informatidn of all types on a global basis. Access to 
, information can be as simple as connecting some type of computing device using a - 
standard phone line to anetwoik. With the proliferation of wireless communication, 
users can now access computer netwodcs fioni practically anywhere. 

Connectivity of this magnitude has magnified the impact of conq)uter 
viruses. Viruses such as "Melissa" and "I love you" had a devastating impact on 
con^)uter systems worldwide. Costs for dealing with viruses are often measured in 
millions and tens of millions of dollars. Recenfly it was shown that hand-held 
conqmti]](g devices are also susceptible to viruses. 

Virus protection software can be very effective in dealing widi viruses, 
and vkus protection ioftwairc is Awddy avail^le for general computing devices such 
as personal conq)uters. There are, however, problems unique to specialized 
conqjuting devices, aich as filras ((teyi(Ms defeated to storage and retrieval of data). 
Off-the-shelf virus protection software will not nm on aspecialized computing device 
unless it is modified to do so, and it can be very aqjensive to rewrite software to work 
on anofiier platform. :> 



1 
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A fiist known method is to scan for viruses at the When 
the data is being provided by a specialized computing device the specialized 
computing device must be scanned Device-specific virus protection software must 
be written in order to scan the files on the device. 

5 

While this first known method is effective in scanning files for viruses, 
it suffers fix)m several drawbacks. First, a company with a specialized computing 
device would have to dedicate considerable resources to creating virus protection 
software and maintaining up-to-date data files that protect against new viruses as they 
10 emerge. 

"r''-'-7-: Additionally, although a manufacturer of a .qpecialiTei^ fyimpntwyg 

device could enlist the assistance of a conq>any fliat creates noiainstream virus 
piotecti(m software to write the custom application and become a licensee this would 
IS create other problems, such as reliance on Ihe chosen vendor of the anti-virus 
software, con^atibility issues v/bsa hardware upgrades are effected, and a large 
financial expense. 

A second known method for protecting against computer viruses is to 
20 have the end user run anti-virus software on their client device. Anti-virus sofhrare 
packages are ofir^:ed by such conoqpanies as McAfee and Symantec. These programs 
are loaded during the boot stage of a con^uter and work as a background job 
monitoring memory and files as they are opened and saved 



25 While tiiis second known method is effective at intercepting and 

protectho^ the client device fii>m infection, it suffers from several drawbacks. It 
' plaicd; tihe burden of detection at die last possible link in the chairL If for any reason 
the virus is not detected prior to reaching the end user it is now at the conq)utmg 
device where it wiU do the most daniage (corruptirig files and s^Hcad^ 
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It is much better to sanitize a file at flie source from where it may be 
deUvered to milHons of end users rather than deliver the file and hope that the end 
user is prepared to deal with the file in the event the file is infected. End users often 
have older versions of anti- vinis software and/or have not updated the data files that 
ensure the software is able to protect agauist newly discovered viruses, thus making 
detection at the point of mass distribution even more critical. 

Also, hand-held computmg devices are susceptible to viiuses, but they 
arcpooriyequippedtohandlefliem. Generally, hand-held computing devices have 
yeiy limited memory resources compared to desktop systems. Dedicating a portion 
of these resources to virus protection severely lunits the ability of the hand-held 
device to p^onn effectively. Reliable vims scamiing at the information souree is the 
mc«t efgciatf an^ 



15 a«aii»t viruses is a constant battle. New v^ 

eveiyday requiring virus protection software manufacturer to come up with new data 
files (sohition algorithms used by anti-viius applications). By providing protection at 
the souree of the file, viruses can be ehmmated more efiBciently and effectively. 



Security of data m general is hnportant Equally important is the trust 
oftheenduser. llus comes fiom the reputation that precedes a con^iany. and 
conqwnies that engage m web commerce often live and die by their reputation. Just 
like an end user trusts that the credit card nrnnb^ they have just disclosed for a web- 
based sales transactiori is mare tfaey w^t files tiieyiweive to be just as secure 

. ; ^^^cp^ing^ it would be desirable to provide a technique for scannmg 
specialized computing devices for viruses and other malicious or unwanted content 
ftat may need to be changed, deleted, or otherwise modified. 



30 
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The invention provides a method and system for scanning specialized 
computing devices (such as filers) for viruses. In a preferred embodiment, a filer is 

5 connected to one or more supplementary computmg devices that scan requested files 
to ensure they are virus fiee prior to ddivery to end users. Whoa an end user requests 
a file &om the filer the foDowing steps occur: First, the filer determines whether the 
file requested must be scanned before delivery to the end user. Second, the filer 
opens a channel to one of the extemal computing devices and sends the filename. 

10 Third, the extemal computing device opens the file and scans it. Fourth, the extemal 
couiputing device notifies the fil^ the status of the file scan operation. Fifth, the filer 
sends the file to the end user provided the status indicates it may do so. 

This system is very efficient and efifective as a file needs only to be 
15 scanned one time for a virus unless the file has been modified or new data files 
protect against new viruses have been added. Scan reports for files that have been 
scanned may be stored in one or more of the extemal computing devices, in one or 
more filers, and some portion of a scan report may be delivered to end us^. 

20 In alternative embodiments of the invention one or more of the ext^nal 

computing devices may be running other siq>plementary appUcations, such as file 
compression and encryption, independentiy or in some combination. 

Brief Desotiption of tiie Drawings 

25 

Figure 1 shows a block diagram of a system for decentralized appliance 
virus scamung. 



Figure 2 sho>;^ a process flow diagram for a systmi for decentralized 
30 vims scaiming 
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Detailed Description of the Preferred KmhoHimftnt 



In the foUowing description, a preferred embodiment of the invention is 
described with regard to preferred process steps and data structures. Those skiUed in 
5 the art would recognize afler perusal of this appUcation that embodiments of the 
invention can be implemented using one or more general prapose processore or 
special puipose processors or other circuits adapted to particular process steps and 
data structures described herein, and that implementation of the process steps and 
data stractures described herein would not require undue experimentatidn or further 
10 invention. 

Lexicogrt^hy 

The following terms refer or relate to aspects of the invention as 
15 described below. The descriptions of general meanings of these tenns are not 
intended to be limiting, only illustrative. 

• Virus -in general, a manmade program or piece of code that is loaded onto a 
computer without the computer user's knowledge and runs against their 
wishes. Most viruses can also replicate themselves, and the more dangerous 
types of viruses are enable of transmitting themselves across networics and 
bypassing security systems. 

' • " ' ' server — in goieral, these terms refer to a relationship between two 

^ - devices, particularly to their relationshq> as cUoit and server, not necessarily to 

For example, but without limitation, a particular client device in a fiist 
. • .uvA 5^®^^ device, can serve as a server device m a second 

id^onshipwifli a second cUent device. In a preferred embodiment, there are 
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generally a relatively small niunber of server devices servicing a relatively 
larger niunber of client devices. 



10 



15 



client device and server device — in general, these terms refer to devices 
taking on the role of a client device or a server device in a client-server 
relationdiip (such as an HTTP web client and web server). There is no 
particular requirement that any client devices or server devices must be 
individual physical devices. They can each be a single device, a set of 
cooperating devices, a portion of a device, or some combination thereof 

For example, but without limitation, the client device and the server device in 
a client-server relation can actually be the same physical device, with a first set 
of software elements serving to perform client functions and a second set of 
software elements serving to perform server functions. 



• web client and web server (or web site) — as used herein the terms *Sveb 

clienf ' and ''web server" (or "web site") refer to any combination of devices or 
sofbvare taking on the role of a web client or a web server in a client-server 
enviromnent in tiie intemet, the world wide web, or an equivalent or extension 
20 thereof There is no particular requirement that web cUents must be individual 

devices. They can each be a single device, a set of cooperating devices, a 
portion of a device, or some combination thereof (such as for example a device 
providing web server services that acts as an agent of the user). 

25 As noted above, these descriptions of general meanings of these terms 

are not inteiided to be limiting, only illustrative. Ofli^ and furflier applications of the 
invention, including extensions of these terms and concepts, would be clear to those 
of ordinary skill in the art after i>erusing this q>plication. These otho* and further 
applications are part of the scqpe and spirit of the inv^tion, and would be clear to 

30 tfioseof ordinary skiU in the art» without furdier invention o^ 



6 



wo 02/44862 

System Elements 



PCT/USO 1/46688 



Figure 1 shows a block diagram of a system for decentralized appliance 
virus scanning. 

A system 100 includes a client device 1 10 associated wifli a user 1 1 1, a 
communications network 120, a ffler 130, and a processing cluster 140. 

The client device 110 includes a processor, a main memory, and 
software for executing instructions (not shown, but understood by one skiUed in the 
art). Although the client device 1 10 and ffler 130 are shown as separate devices there 
is no requirement tibat they be physically separate. 

In a prefaced embodiment the communicaticoi network 120 inchides 
the Internet In alternative embodiments, the communication networic 120 may 
inchide alternative forms of communication, such as an intranet, extranet, virtual 
private network, direct communication links, or some otiier combination or 
conjunction thereof 

A communications Imk 115 operates to coi^Ie the client device 110 to 
the conmianications network 120. 

The filer 130 includes a processor, a main memory, software for 
wwcuting it^ (not isihown, but understood by one skilled in die art), and a 
mass storage 131. Altiiough tiie cUent device 110 and ffler 130 are shown as separate 

is no requirement that they be separate devices. The filer 130 is 
connected to the communications network 120. 

. . ^ storage 131 inchides at least one ffle 133 that is equable of 

being requested by a client device 1 1 0. 
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The processing cluster 140 includes one or more cluster device 141 
each including a processor, a main memory, software for executing instructions, and a 
mass storage (not shown but understood by one skilled in the art). Altiiough the filer 
130 and the processing cluster 140 are shown as separate devices there is no 
requirement that diey be sq)arate devices. 

hi a preferred embodiment flie processing cluster 140 is a plurality of 
personal computers in an interconnected cluster C£q)able of intercommunication and 
direct communication with flie ffler 1 30* 

ITie cluster link 135 operates to connect the processing cluster 140 to 
the filer 130. The cluster link 135 may include non-uniform memory access ^ 
OMUMA), or communication via an intranet, extranet, virtual private netwod^ direct 
communication links, or some otfaa combination or conjunction fliereof. 

Method of Operation 

Figure 2 shows a process flow diagram for a system for decentralized 
appliance virus scanning. 

A method 200 includes a set of flow points and a set of steps. The 
system 100 performs the method 200. Although the method 200 is described serially, 
the steps of the method 200 can be performed by separate elements in conjunction or 
in parallel, ivhetfier asynchronously, in a pipelined manner, or otherwise. There is no 
particular requiremmt that the method 200 be performed ui the same oider in which 
this descr4>tion lists the stq>s, except where so indicated. 

'""'-v:'>C' 

At a flow point 200, the system 1 00 is ready to begin peif<»ming the 

meUiod200. 
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At a Step 201, a user 1 1 1 utilizes the client device 110 to initiate a 
request for a file 133 . The request is transmitted to the jBler 130 via the 
communications network 1 20. In a preferred embodiment the filer 1 30 is perfonning 
file retrieval and storage at the direction of a web server (not shown but understood 
5 by one skilled in the art). 

At a stqp 203, liie filer 130 receives the request for the file 133 and 
sends the file ID and path of the file 133 to the processing cluster 140 where it is 
received by one of the cluster device 141 . 

10 

At a step 205, the cluster device 141 uses the file ID and path to open 
the file 133 in the mass storage 131 of the filer 130. 

At a step 207, the cluster device 141 scans the file 133 for viruses. In a 
15 preferred embodiment, files are tasked to the processing cluster 1 40 in a round robin 
feshion. In alternative embodiments files may be processed individually by a cluster 
>j device 141, by multiple cluster device 141 simultaneously, or some combination 
thereof. Load balancing may be used to ensure TuiaTimym efficiency of processing 
within the processing cluster 140. 

20 

There are several vendors ofPenng viras protection software for 
personal conqniters, thus the operator of the filer 130 may choose whatever product 
they would like to use. They may even use combinations of vendors' products in the 
pirocesang cluster 140. In an alternative embodiment of the invention, continual 
25 scanning of every file 133 on the filer 130 may take place. 

The processing cluster 140 is highly scalable. Hie price of personal 
computers is low compdxed to dedicated devices, such as filers, therefore this 
configuration is very desirable. Additionally, a chister configuration offers redundant 
30 systeihs availability in case a cfaister device 141 feils - fiaiover and takeov^ is also 
" ) possible within flie processing cluster. 

9 
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At a step 209, the cluster device 141 transmits a scan report to tiie filer 
130. The scan report priinarily reports whether the file is safe to send Further 
information may be saved for statistical purposes (for example, how many files have / 

5 been identified as infected, was the virus software able to sanitize the file or was the 
file deleted) to a database. The database may be consulted to detennine whether the 
file 1 33 needs to be scanned before delivery \xpon receipt of a subsequrat request If 
the file 1 33 has not changed since it was last scanned and no additional virus data 
files have been added to the processmg cluster^ the file 133 probably does not need to 

10 be scanned. This means the file 133 can be delivered more quickly. 

Other intermediary £Q)plications may also run sq)arateiy^ in conjunction .:: ~ 
with other applications, or in some conibination thereof within the processing cluster 
140. Compression and encryptionutititiesai^ some examples of flieseappUcati 
IS These types of applications, including virus scanning, can be voy CPU intensive, ^ 
thus outsourcmg can yield better performance by allowing a dedicated device like a 
filer to do what it does best and fann out other tasks to the processing cluster 140. 

At a step 2 1 1, die filer 130 transmits or does not transndt the fiiie 133 to 
20 the client 1 10 based on its availability as reported following the scan by the 

processing cluster 140. Some portion ofthe scan r^rt may also be transmitted to 
the user. 

At this step, a request fi>r a file 133 has been received, tte 
25 been processed, and if possible a file 133 has been delivered The proems may be 
repeated at step 201 for subsequent requests. 



Generality of the Invention 

30 The invention has wide ^HcaWlity and geiws^^ 

processing requeste for files. { " ) 

10 
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The invention is ^plicable to one or more of; or some combination of, 
circunostances such as those involving: 

• file compression; 

• file enoyption; and 

• general outsourcing of CPU intensive tasks fix)m dedicated appliances to 
general purpose computers. 

Alternative EmbodimetUs 

Although preferred embodiments are disclosed herein, many variations 
are possible which remain within the concept, scope, and spirit of flie mvention, and 

Ihese variations would become clear to those skilled in the art after perusal o^ 
application. 
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1 . A method for operating a filer iBcluding the steps of: 

receiving at a first location a request fi"om a user for an object; } 
5 processing said request at a second location, wherein said stqp of 

processing includes at least one of the following: (1) searching for one or more 
recognizable patterns of data within said object, (2) compressing said object, and (3) 
encrypting said object; 

r^ponding to said request, wherein said step of responding includes 
1 0 delivery of a response to said user. 

2. The melfaod of claim 1, wherein said request is in an electronic foroL 

3. The method of claim 1, wherein said object is a file, 

4. The method ofclaim 3, wherein said stq) of processing said request 
fiirth^ includes the steps of: 

creating an access path fi^om said filer to a processing cluster; 
processing said file in said processing cluster; and 
20 generating a scan report wherein, said scan report is responsive to said 

processing of said file in said processing cluster. 

5. The method ofclaim 4, wherein said step of creating an access path 

includes sending the ID and path of said file fix>m said filer to said processing cluster, -it-v^^'^''^' --^ 

25 

6. Themethodof claimai 5, wherein said step of si^iding is accomp^ 
using non-unifonnmemoiy access. - - >; 



7. Hie mefhod of claim 5, whoein said step of sending is accoi^Iislusd 
30 using a communications netwoifc. ■ ' ' '-■ 

( "j 

12 
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8. The method of claim 5, wherein said step of sending is accomplished 
using a direct connection. 



9. The method of claim 4, wherein said step of processing of said file is 
pof onned by said processing cluster in a round robin fadiion for subsequent files 
received. 

10. The method of claim 4, wherein said step of processing of said file 
is acconq)lished in parts by more than one device in said processing clust^. 

11. The method ofclaim 4, wherein all files stored on said filer are 
scanned in a logical contixmous manner. 

12. The method ofclaim 4, wh^in said scan rq)ort contains a set of . 

status data relating to said processmg of said file. 

13. The method ofclaim 12, wherein said status data includes at least 
one data element identifymg the presence or non-presence of a virus in said file. 

14. TTie method ofclaim 13, wherein said report is transferred to said 

filer. 

15. The method ofclaim 14, wherein said rqport is stored in a first 
database: ■ vv- - ; -. - --ra^ 

1 6. The method of claim 1 5, wherein the necessity for subsequent ps^^^^i^ 
scanning of said file is a function of determining whether said database contains said 
report relating to said file and wheflier said file has changed since last accessed. 
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17. The method of claim 16, wherein the necessity for subsequent 
scanning of said file is a function of determining whether additional virus 
identification data files have been added to said processing cluster. 

18. The method of claim 1 9 wherein said deliv^ of a response is said 

file. 



19. The method of claim 1, wherein said delivery of a response 
includes notification to said user lhat said file is unavailable. 

10 

20. The method of claim 1, wherein said step of responding to said ' 
request includes sending said user a copy of said scan report : i : ^ r-: : : : 

21. An apparatus for operating a filer including: 

15 means for receivii^ at a £b^ location a request firom a user for an 

object; 

means for processing said request at a second location, wh^in said 
means for processing includes at least one of the following: (1) means for searching 
for one or more recognizable patterns of data within said object, (2) means for 
20 conapr^ing said object, and (3) means for encrypting said object: 

means for responding to said request, wherein said means for 
responding includes delivery of a response to said user. 



25 



:22. The apparatus of claina 21, wherein said object is a file. 



23. The apparatus of claim 22, wherein said means for processing said 
request furfher includes: 

means for creating an access path from said filer to a processing cluster; 
' means for processing said file in said processing cluster; and 
30 means for generating a scaii r^iHt vl^e^^ said scan iqport is ' " ' 

responsive to said processing of said file in said processing cluster. 

14 
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24. The apparatus of claim 23, wherein said means for creating an 
access path includes means for sending the ID and path of said ffle from said filer to 
said processing cluster. 

25. The apparatus of claim 24, wherein said sending is accon5>lished 
using non-unifoim memory access* 

26. The apparatus of claim 24, wherein said sending is accomplished 
using a conmiunications netwoiic 

27. The ^paratas of claim 24, wherein said sending is accomplished 

•.using a direct connection* ::-■"i^':'v/,^^'K^?^\^:?^':?^>•'•^!•^^^^ • 

28. The apparatus ofclaim 23, wherein sdd processing of said file is 
perfonned by said processing cluster in a round robin fashion for subsequent files 
received. 

29. The apparatus ofclaim 23, wherem said processing ofsaid file is 
performed on atomic units of said file by more ftan one device in said processing 
cluster. 



30. The ^paratus of claim 23, wherein all files stored on said filer are 
scannedin a logical continuous mam^ ■■ ' ''-'■^^■' ■■=>--^'-^mmmm^''^-^^^^ 

31. Theaj^aratusof claim 23, wherein sad scan rgwrt cool^^ 
of status data relating to said proces^ of said file. 



32. Theq>paratusofclaim 31,wheie^ v^r . .. 

one data dement identifying Ihe presence or non-presence of a virus in said file. 
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33. Hie apparatus of claim 3 1 , wherein said report is transferred to said 

filer. 



34. The apparatus of claim 33, wherein said report is stored in a first 

S database* 

35. The apparatus of claim 34^ wherein the necessity for subsequent 
scamiing of said file is a fimction of detenuinixig whether said database contains said 
report relating to said file and i;f^e1her said file has changed since last accessed 

10 

36. The apparatus of claim 35, wherein the necessity for subsequent 
scaiming of said file is a fbiction of detennining wheti^^ 

identification data files have been added to said processing cluster. 

15 37. Ibe^paiatus of claim21, wherem 

delivery of said file. 

38. The apparatus of claim 21, wherein said delivery of a response 
includes delivery of notification to said user that said file is imavailable. 

20 

39. The ^paratus of claim 21, wherein said responding to said request 
includeS'Sending said nser some portion of said scan report. 

r w ' 40. 7:A method of attempting to provide yiins piptecti : 

25 server environment, comprising &e steps of: 
recei^c^areque^ 
sending an identifier for the file 

for viruses; 

. receiyin 
30 fhefileissafetosimdfin^ 
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responding to the request by sending the file if the indication is that the 
fUe is safe to send. 



4 1 . A method as in claim 40, wherein the scanning device indicates 
that the Sle is safe to send if the scanning device detemiines that the file is not 
infected with any viruses. 

42. A method as in claim 40, wherein the request is received from and 
the file is sent to a client device. 

43. A method as in claim 40, wherein the server is a web server. 



- r : : .4^^ Amethodasinclaun40,^?(4ierein thescamun^^^ 
cliister of devices connected to the server that fimction simil^^^ 
device. 

45. A method as in claim 44, wherein flie cluster ofdevices is a cluster 
of interconnected personal computers. 

46. A method ofattenq>ting to provide virus protection in a cUe^^ 
server environment, coniprismg the steps of: 

m a int ai ning a database that indicates if files served by a server are safe 
to sens fit>m the server; 

receivmg a request at the servCT for rfflep^^^ ' 
. iftiie database indicates that the ffle is safe to send, i]^^ 

request by sending the file; and v/^=#.%^#v455^^;?;^^^^^^^ 

if the database does not indicate that the file is safe to send, flien 
sendmg an identifier for the file to a scanning device that scans the file for viruses, 
receiving an indication fix>m the seaming d^ 

to send fixnn the servor, and responding to the lequ^ by sendmg die file if tiie " 
indication is that the file is safe to send. 

17 
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47. A method as in claim 46, wherein maintaining the database further 
comprises the steps of: 

tracking received indications from the scanning device; and 
5 tracking accesses to the jfflie. 

48. A meAod as in claim 47, whereia a tracked indication in the 
database ttiat the Sle is safe to send is cancelled if the fOle has changed since the 
tracked indication was incorporated into the database. 

10 

49. A metiiod as iQ claim 46, wherein the scaiming device indicates 
that the ffle is safe to send if the scanning device determines that 

infected with any viruses. 



15 50. A method as in claim 46, wherein the request is received from and 

the fQe is s^t to a client device. 

51. A method as in claim 46, wherein the server is a web server. 

20 52. A method of atteriq>tirig to provide virus protection in a client- 

saver QQivironment, conq)rising the steps of: 

teceiviog from a server, at a scarmiiig device connected to Ae server, an 
identifier for a file stored on mass storage for the server; 

v,:^-.r:'r^?rr7->-^:v^ywr ^1^!? I?? ^virUSC^ aud ..^,.^^r:.y---.-:.r..^r,-^^:-^^^^ 

25 reporting an iudication to the server as to whether or not the file is 

.infected 

53. A mefliod as in claim 52, further comprismg the step of changing, 
delving, or Qthery^ . 

30 '^''vimses. '''^''Vr '—^-'^^-^^-^^ ...;r j.^:':^.u>:::^.A^s:: ^ . - 
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54. A method as in claim 52, wherein the server is a web server. 



55. A method as in claim 52, wherein the scanning device is one of a 
cluster of devices connected to the server that function similarly to the scanning 
device- 

56. A method as in clahn 55, wherein the cluster of devices is a cluster 
of mterconnected peirsonal computers. 

57. A server that attempts to provide virus protection m a client-server 
environment, comprismg: 

a conmiunication link to cUeiit deviceis; 
■ ". ' / • If- ■ -mass storage 'for filcs^ and* '^2j!L%^f?fSK:535f*r-N^t.*£^^ . 

a processor that executes instructions in order to send requested Sks to 
the client devices, the mstmctions also inchiding instractions (a) to leceive a requ^ 
for a file, (b) to send an identifier for the file to a scanning device that scans the file 
for viruses, (c) to receive an indication fit)m the scanning device as to \diether or not 
the file is safe to send fi-om the server, and (d) to respond to the request by sending 
the file if the indication is that the file is safe to send. 

58. A s»ver as in claim 57, whaein the scanning device indicates fliat 
the file is safe to send if the scannmg device detemiines that the file is not infected 
with any viruses. 

59. A server as in claim 57, whadn the request is recdved fiom and 
.tiie file is srat toja cUtgot <te 

60. Asenferasinclaim57,wlierdn1heserverisawd>seiver. 
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61. A server as ia claim 57, wherein the scanning device is one of a 
cluster of devices connected to the server that function similarly to the scanning 
device. 



5 



62. A server as in claim 61, wherein the cluster of devices is a cluster 



of interconnected pa:sonal computers. 

63. A server that attempts to provide virus protection in a cUeut-servcr 
environment comprising: 



a processor that executes instructions in order to send requested files to 
the di&A devices. Hie instructions also mcluding mstructions (a) to maintain a 



safe to s&xdj to respond to the request by sending the file, and (d) if the database does^ 
not indicate that the file is safe to send, then to send an identifier for tiie file to a 
scannixig device that scans the file for viruses, to receive an indication from the 
scanning device as to whether or not the file is safe to send fix>m the server, and to 
20 respond to the request by sending the file if the indication is that the file is safe to 
send. 

' 64. A server as in claim 63, \dierein the instructions to maintain die 
: . ; :r\ v:^!^^^^ finilier comprise instractions to track received indications fixun the scanning 
25 device, and to tra:Ck accesses to the file. 

65. A server as in claim 64, wherein a tracked indication in the 
database that the file is safe to send is cancelled if the file has changed smce the 
tracked indication was incorporated into the database. 



10 



a communication link to client devices; 
mass storage for files; and 




dstfabase ^ in^cates if iffii^ 
15 to receive a request at the server for a file, (c) if die <k^ 



- 30 
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66. A server as in claim 63, wherein tihie scanning device indicates that 
the file is safe to send if the scanning device detennines that the file is not infected 
with any viruses. 

67. A server as in claim 63, wherein the request is received ftom and 
the file is sent to a client device. 



68. A server as in claim 63, wherein the server is a web server. 

10 69. A scanning device that attempts to provide virus protection for a 

servCT in a client-server environment, comprising: 

a communication link to the serven and 
7?>>— - v.^^ that executes instructions, the instructions inchiding ^ 

mstractions (a) to receive frona 

15 storage for the server, (b) to scan the file for viruses, and (c) to report 
the server as to whether or not the file is infected 

70. A scanning device as in claun 69, wherein the instructions fiirther 
comprise instructions to change, delete, or otherwise modify the file based on a result 

20 of scanning the file for vhuses. 

71. A scanning device as in claim 69, wherein die server is a web 

server. 

2^ 72, A scanning device as in claim 69, wherein the scaiming device 

: . : , pae of a clus^ <tevioK cq^ to the server that similarly to the ^ 

scanning device. 

73. A scaiming & i^/^Ia™ 72, whaemflie cluster of de>dces is 
30 a cluster of interconnected personal con^uteis. 
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74. Storage containing information including instmctions, the 
instructions executable by a processor to attempt to provide virus protection in a 
client-server environment, the instructions comprising the steps of: 

receiving a request at a server for a file; 
S sending an identifier for the file to a scanning device that scans the file 

for viruses; 

receiving an indication fi*om the scanning device as to v^hether or not 
the file is safe to send fix)m the server; and 

responding to the request by sending tibie file if the indication is diat the 
10 file is safe to send. 

75. Storage as in claim 74, wherein the scanning device indicates that 
the file is safe to send if the scanning device determines that the fiyle is not infected 
with any viruses. 



15 

76. Storage as in claim 74, wherein ±e request is received fix>m and the 
file is sent to a client device. 

77. Storage as in claim 74, wherein the server is a web server. 

20 

78. Storage as in claim 74, wherein the scanning device is one of a 
ctusto: of devices connected to the server that fimction similarly to the scanning 
device. 

25 79. Storage as in claim 78, wherein the cluster of devices is a cluster of 

interconnected personal computers. 

80. Storage containing information including instmctions, the 
instructions executable by a processor to attempt to provide virus protection in a 
'30 cUent-server environment, the instmctions coxiq)risin^ 
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maintaining a database that indicates if files served by a server are safe 
to send fironoi the server; 

receiving a request at the server for a file; 
^ • if tte database indicates that the file is safe to send, responding to the 

5 request by sending the file; and 
^ if the database does not indicate that flie file is safe to send, then 

sliding an identifier for the file to a scanning device that scans the file for viruses, 
receiving an indication from the scanning device as to whether or not the file is safe 
to send firom the serv^, and responding to the request by sending the file if the 
10 indication is that the file is safe to send 

8L Storage as in claim 80, wherein maintaining the database further 

, _ traclm 
15 tracking accesses to the file, 

( 82, Storage as in claim 81, wherein a tracked indication in the database 

that the file is safe to send is cancelled if (he file has changed since titie tracked 
indication was incoiporated into the database. 

20 

83. Storage as in claim 80, wherein the scanning device indicates that 
the file is safe to send if the scanning device determines that the file is not mfected 
with any viruses. 

84. Storage as in claim 80, wherein the request is received fi^om and the 

85. Storage as m claim 80, wherein the server is a web server. 



i 
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86. Storage containing infonnation inbluding instructions, the 
instructions executable by a processor to attempt to provide virus protection in a 
client-server environment, the instructions comprising the steps of: 

receiving from a server, at a scanning device connected to the server, an 
id^tifier for a file stored on mass storage for the server; 
scanning the file for viruses; and 

reporting an indication to the server as to whether or not the file is 

infected 

87. Storage as in claim 86, wherein the instructions fiirther comprise 
the step of chan g ing, deleting, or otherwise modifying the file based on a result of 
scanning the file for viruses. 

88. Storage as in claim 86, wherein the server is a web server. 

89. Storage as in claim 86, wherein the scanning device is one of a 
cluster of devices connected to the server that function similarly to the scanning 
device. 



90. Storage as in claim 89, wherein the cluster of devices is a cluster of 
interconnected personal computers. 
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